Wednesday, May 21, 2014

Password Compromises of Large User Repositories

Today’s breaking news of the theft of eBay’s password and customer database highlights the danger implicit in the favored target of cyber criminals: large corporate repositories with millions of consumer records.

The eBay compromise poses particular business problems for eBay. Some of the highest costs for businesses that suffer data compromise and theft are the loss of customer trust and the remediation of possible unauthorized transactions. With eBay’s quick and informative disclosures and thorough transaction audit, these are challenges that primarily affect eBay itself.

However, for customers in a breached database, the effects extend beyond these corporate problems. The customer information in the database is a gateway for criminals to additional data.

First, when passwords are contained in the compromised information, those passwords are often reused as credentials for other websites. A 2013 Ofcom study reported that 55% of users used a single password for the majority of websites they accessed, only a slight improvement from 60% in 2011. When stolen passwords are combined with other identifying information in the same database (such as user IDs or email addresses), a breach of a single website like eBay can be extended to breaches of a much wider universe of websites for the affected consumers.

Second, the compromise of passwords often leads to the critical problem that an attacker can appear to be an authorized user. This lets the attacker access the resources protected by the password. In the case of eBay, this is a user’s auction activity, but it varies depending on the compromised website. For example, a similar breach of a file sync and share service would give attackers access to the user data files stored in the cloud.

Cloud privacy protection requires protecting both login credentials and the data stored in the cloud. Securing login credentials with unique, strong passwords limits exposure to the single compromised website. Securing cloud-based data itself adds a second level of protection that prevents data loss even when the login credentials are compromised.